Alex, hello there!
I've built a test environment for you, so I am using freeradius 2.1.12+dfsg-1.2 (on Debian), and an HP 2650 switch. I've just repeated your config, and have no problems with this. My test ProCurve IP is 10.0.10.29, test freeradius IP is 192.168.2.60.
ProCurve config:
Running configuration:
; J4899A Configuration Editor; Created on release #H.10.83
hostname "ProCurve Switch 2650"
interface 1
   no lacp
exit
interface 2
   no lacp
exit
interface 3
   no lacp
exit
interface 4
   no lacp
exit
interface 5
   no lacp
exit
interface 6
   no lacp
exit
interface 7
   no lacp
exit
interface 8
   no lacp
exit
interface 9
   no lacp
exit
interface 10
   no lacp
exit
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 11-50
   ip address dhcp-bootp
   no untagged 1-10
   exit
vlan 100
   name "success"
   untagged 1-10
   exit
vlan 200
   name "fail"
   exit
aaa authentication port-access eap-radius
radius-server host 192.168.2.60 key test
aaa port-access authenticator 1-10
aaa port-access authenticator 1 unauth-vid 200
aaa port-access authenticator 2 unauth-vid 200
aaa port-access authenticator 3 unauth-vid 200
aaa port-access authenticator 4 unauth-vid 200
aaa port-access authenticator 5 unauth-vid 200
aaa port-access authenticator 6 unauth-vid 200
aaa port-access authenticator 7 unauth-vid 200
aaa port-access authenticator 8 unauth-vid 200
aaa port-access authenticator 9 unauth-vid 200
aaa port-access authenticator 10 unauth-vid 200
aaa port-access authenticator active
/etc/freeradius/users:
<...>
testuser User-Password := test
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"
<...>
/etc/freeradius/radiusd.conf:
<...>
client switch {
        ipaddr = 10.0.10.29
        secret = test
        require_message_authenticator = no
        nastype = other
}
<...>
And I've used this manual to enable 802.1X in Windows:
http://windows.microsoft.com/en-us/windows/enable-802-1x-authentication#1TC=windows-7
But I've disabled usage of the logged-on user's creds.
So, if the user creds are correct, I have this message in /var/log/freeradius/radius.log
tail -f /var/log/freeradius/radius.log
Fri Sep 5 12:54:14 2014 : Auth: Login OK: [testuser/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
Fri Sep 5 12:54:14 2014 : Auth: Login OK: [testuser/<via Auth-Type = EAP>] (from client switch port 1 cli b4-99-ba-5a-bb-65)
and on my switch I've got:
ProCurve Switch 2650(eth-1)# sh vlans ports 1
Status and Counters - VLAN Information - for ports 1
802.1Q VLAN ID Name Status Voice
-------------- ------------ ------------ -----
100 success Port-based No
If creds are incorrect:
Fri Sep 5 12:56:06 2014 : Auth: Login incorrect: [sasdasd/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
Fri Sep 5 12:56:06 2014 : Auth: Login incorrect: [sasdasd/<via Auth-Type = EAP>] (from client switch port 1 cli b4-99-ba-5a-bb-65)
ProCurve Switch 2650(eth-1)# sh vlans ports 1
Status and Counters - VLAN Information - for ports 1
802.1Q VLAN ID Name Status Voice
-------------- ------------ ------------ -----
200 fail Port-based No
Maybe you haven't enabled 802.1X in Windows? I hope this helps you, man.
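
As an added example (not part of the original post and not FreeRADIUS code): a small Python parser for the radius.log format quoted above. It skips the duplicate inner-tunnel lines, reports which VLAN each switch port should end up in (100 or 200, per the posted config), and counts rejected attempts per client MAC. The two extra log lines for user guest are constructed, and the parenthesised reason in them is an assumed format variant.

```python
import re
from collections import Counter

# VLANs from the post's config: Tunnel-Private-Group-Id "100" on success,
# unauth-vid 200 on failure.
VLAN_OK, VLAN_FAIL = 100, 200

# Outer (switch-facing) result line. Inner-tunnel lines end in "via TLS tunnel"
# and carry no "cli" MAC, so they do not match and are not counted twice.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect)(?: \([^)]*\))?: "  # optional reason text
    r"\[(?P<user>.+)/[^/\]]*\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) "
    r"cli (?P<mac>[0-9A-Fa-f:.-]+)\)$"
)

# The four lines quoted in the post, plus two constructed lines (port 2,
# documentation-range MAC) to exercise the per-MAC failure count.
SAMPLE_LOG = """\
Fri Sep 5 12:54:14 2014 : Auth: Login OK: [testuser/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
Fri Sep 5 12:54:14 2014 : Auth: Login OK: [testuser/<via Auth-Type = EAP>] (from client switch port 1 cli b4-99-ba-5a-bb-65)
Fri Sep 5 12:56:06 2014 : Auth: Login incorrect: [sasdasd/<via Auth-Type = EAP>] (from client switch port 0 via TLS tunnel)
Fri Sep 5 12:56:06 2014 : Auth: Login incorrect: [sasdasd/<via Auth-Type = EAP>] (from client switch port 1 cli b4-99-ba-5a-bb-65)
Fri Sep 5 12:57:30 2014 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [guest/<via Auth-Type = EAP>] (from client switch port 2 cli 00-00-5E-00-53-01)
Fri Sep 5 12:57:41 2014 : Auth: Login incorrect: [guest/<via Auth-Type = EAP>] (from client switch port 2 cli 00-00-5E-00-53-01)
"""

def parse_auth_lines(text):
    """Return one dict per outer authentication result, in log order."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["port"], ev["mac"] = int(ev["port"]), ev["mac"].lower()
            ev["ok"] = ev.pop("result") == "OK"
            events.append(ev)
    return events

def expected_vlans(events):
    """Latest result per (client, port) -> VLAN the port should end up in."""
    return {(e["client"], e["port"]): VLAN_OK if e["ok"] else VLAN_FAIL
            for e in events}  # later log lines overwrite earlier ones

def failures_by_mac(events):
    """Count rejected attempts per supplicant MAC address."""
    return Counter(e["mac"] for e in events if not e["ok"])

if __name__ == "__main__":
    evs = parse_auth_lines(SAMPLE_LOG)
    print(expected_vlans(evs))
    print(failures_by_mac(evs).most_common())
```

The VLAN map can be compared against `sh vlans ports N` on the switch: a port whose last log result is "Login OK" but which still sits in VLAN 200 points at the reply attributes rather than at the credentials.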
Best Answer
EAPOL is done at layer 2, so it's frames not packets, and should be passed through except when the second switch has 802.1X enabled. If 802.1X is enabled on the second switch then it will either not allow clients to authenticate (if pae authenticator is not enabled on the port facing the host) or act as the authenticator (thus the switch you want to act as the authenticator won't see the frames).
The behavior could vary with cheap/low-end switches that don't handle 01:80:c2 frames as expected.